Every once in a while I have to set up an account on a site that, while apparently at least not storing my password in plaintext, still forces me to choose from a limited set of security questions that can be used for password recovery purposes. Since the questions are usually moronically easy to answer by some googling or social engineering (à la "What's your mother's maiden name?"), what is the correct approach when I cannot avoid using this account?

4 Answers
4

"Security questions" are just an alternative password which is not used often, but which, presumably, will not be forgotten by the user. Since it is password-equivalent information, treat it as such: use true, high-entropy passwords as answers to security questions. Of course, since you will not enter these often, you should write them down on paper, stored in a safe place (they are meant to be used as a backup for the "true" password; you do not need them often).

(Note: most systems will handle responses to security questions in a case-insensitive way, which decreases the "entropy" of that password -- hence, make it even more random. 15 random letters would be enough.)

One site I went to used the same "security questions" online as on the phone, which made for a strange conversation when I had to explain that my mother's maiden name was a mixture of numbers, non-alphanumeric characters and letters. (This is an example of bad practice, btw. Never use full security questions on the phone and online.)
–
Callum Wilson Jan 28 '13 at 12:45

1

Due to the case-insensitivity and @Callum's mentioned trouble on the phone, some passphrase generator instead of a pass𝑤𝑜𝑟𝑑 one might help (edit: since I used it in my comment, you'll possibly have loads of fun by (ab)using unicode...)
–
Tobias Kienzler Jan 28 '13 at 13:23

So, is random data stored in a password manager along with passwords good enough? @Callum yeah, I know a few banks that do that.
–
ewanm89 Jan 28 '13 at 13:48
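To put numbers on the "15 random letters" advice above and show what "treat it as a password" means on the receiving side, here is an added example (my own code, not from this answer's author or any real site). It computes the entropy of a case-folded answer, generates one from a CSPRNG, and stores and verifies it the way a server should: normalised for the case-insensitive comparison the site promises, then salted and hashed with a slow KDF rather than kept in plaintext. The `store_answer`/`verify_answer` design is an assumption about how such a site could be built.

```python
import hashlib
import math
import secrets
import string
import unicodedata
from typing import Tuple

# Most sites compare answers case-insensitively, so only the 26 distinct
# letters contribute entropy even if the user mixes upper and lower case.
CASEFOLDED_LETTERS = string.ascii_lowercase


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest answer length that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_answer(length: int = 15, alphabet: str = CASEFOLDED_LETTERS) -> str:
    """Random answer from the OS CSPRNG; this is the value to write down."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# --- Server side (assumed design) ---------------------------------------
def normalise(answer: str) -> str:
    """Apply the same Unicode and case folding at enrolment and at check time."""
    return unicodedata.normalize("NFKC", answer).casefold().strip()


def store_answer(answer: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext answer is never persisted."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(normalise(answer).encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_answer(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Constant-time comparison of the KDF output, as for a password check."""
    salt, digest = stored
    candidate = hashlib.scrypt(normalise(attempt).encode(), salt=salt, n=2**14, r=8, p=1)
    return secrets.compare_digest(candidate, digest)
```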

4

My personal favorite is a site that, because "OMG Keyloggers", urged me to pick one of ~20 default answers for its insecurity questions. Utterly appalled, I typed my own answers in anyway, only to find that when using them, instead of a textbox, I was given a dropdown containing 3 of the defaults + my manually entered one.
–
Dan Neely Jan 28 '13 at 14:42

My current "solution" is entering an arbitrarily long, senseless sentence that I don't even intend to remember, and instead storing that and my password in (separate) KeePass files, and maybe complaining to the webmaster about this. That way it's unlikely someone else can answer the "secure" question with any less effort than attempting to directly crack my password, but I'm still not too happy with this...

That's why storing that "junk" somewhere might come in handy. Although that storage might just as well contain your actual password - unless the provider decides to issue a global password reset that can only be accessed by answering the security question m-/
–
Tobias Kienzler Jan 28 '13 at 13:26

Think of a list of questions you think are good security questions for you. Use these at the better sites that allow you to phrase your own security questions, e.g. "Ben's car in HS?". For the sites with the moronic questions (e.g. mother's maiden name), map their questions to your questions. So the answer to "Mother's maiden name" may be '1960' (since what I remember was how ancient Ben's car was). You could use the same mapping each time (i.e. maiden name always maps to 1960), or you mix them up and just keep the 'key' (i.e. which moronic question goes with which real question).

The issue with a shared secret is that it can't be a secret if it's public. What the above allows you to do is move the 'secret' to being the question mapping.

The thing is, once I start mapping their sub-sophisticated questions to a "good" question that I have to write down, I might just as well fill the answer with high-entropy stuff and write that down instead...
–
Tobias Kienzler Jan 28 '13 at 13:02

True. And none of this will beat a keylogger. Multi-factor is really what should be used for any reasonable degree of trust.
–
Duncan Jan 28 '13 at 13:05